2Wire 3800HGV-B won't play nicely with PIX


Postby aclawson » Sun Jan 17, 2010 1:34 pm

The AT&T U-verse connection is up and running at one of the buildings but I am having trouble getting the church managed firewall set up. The device that ships with the service is a 2Wire 3800HGV-B modem/router with all of the expected whistles and bells expected in such a device (firewall, DHCP service, etc). The problem is that SLC can't hit the PIX that is installed on the user side of the device. I have found older instructions that indicate I should set the 2Wire gateway to bridge mode but the step by steps include using options that do not exist - I suspect that they were valid at one point but a firmware update removed them.

Has anybody been able to configure the PIX with this particular gateway? Were you able to find a specific bridge mode or did you DMZ the PIX? Does the PIX serve up DHCP addresses or should that IP be static and outside of a DHCP scope set for the internal router?


Postby kd7mha » Sun Jan 17, 2010 2:17 pm

aclawson wrote: The AT&T U-verse connection is up and running at one of the buildings but I am having trouble getting the church managed firewall set up. The device that ships with the service is a 2Wire 3800HGV-B modem/router with all of the expected whistles and bells expected in such a device (firewall, DHCP service, etc). The problem is that SLC can't hit the PIX that is installed on the user side of the device. I have found older instructions that indicate I should set the 2Wire gateway to bridge mode but the step by steps include using options that do not exist - I suspect that they were valid at one point but a firmware update removed them.

Has anybody been able to configure the PIX with this particular gateway? Were you able to find a specific bridge mode or did you DMZ the PIX? Does the PIX serve up DHCP addresses or should that IP be static and outside of a DHCP scope set for the internal router?



I don't have any experience with this hardware, but looking through the manual (very briefly) I would say that putting the Church managed firewall in a DMZ would be the appropriate solution; the only thing that you need the 3800HGV-B for is connecting the Church managed firewall to the internet.

The manual I referenced was found here
There are 11 types of people. Those who understand Gray Code and those that don't.


Postby russellhltn » Sun Jan 17, 2010 4:06 pm

aclawson wrote:Does the PIX serve up DHCP addresses or should that IP be static and outside of a DHCP scope set for the internal router?


To answer your other question, yes, the PIX serves up DHCP for those who are inside the firewall. If you're unable to shut down the services the modem provides, then the DMZ sounds the most appropriate.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


DMZ / port forwarding

Postby aclawson » Mon Jan 18, 2010 6:50 am

I'm running into the problem with SLC being unable to contact the firewall even though it is DMZed. Does anybody know which ports should be forwarded?

I'm guessing that the steps to configure will be as follows:

Disable the DHCP service on the 2Wire
Set the ASA 550x with a static IP in the same subnet as the admin machines
Place the ASA 550x in the DMZ
Forward ports (x1, x2, x3 TCP/UDP - TBD) to the ASA
Where possible plug cat5 drops into the ASA
Configure the wireless router with a static IP address in the same subnet
Disable DHCP and firewall on wireless router
Connect a cat5 patch from the ASA to a LAN port on the wireless router

Does that look about right?


Postby russellhltn » Mon Jan 18, 2010 2:01 pm

aclawson wrote:Set the ASA 550x with a static IP in the same subnet as the admin machines


That part doesn't sound right. The IP assignment on the internet side of the PIX has nothing to do with what's assigned to the admin machines. Have you thought about calling the ISP and asking for a basic modem? I think it would be a better solution in the long run.


Only a local IP if using port forwarding

Postby aclawson » Mon Jan 18, 2010 2:10 pm

If one is using port forwarding then the public side of the ASA would still have a non-routable IP address (10.x.x.x), with the public IP still assigned to the 2Wire - all ports would just be forwarded to the device. This 2Wire is the only thing that they provide with the U-Verse accounts (already checked) - maybe another model could be bought, but money is expensive.


Confirmed solution

Postby aclawson » Tue Jan 19, 2010 8:16 pm

The steps from http://www.sbbala.com/uverse/pg2.html are specific to the 3800HGV-B and are personally confirmed to work. (Now I have to set up the wireless access point and install and configure the wireless NIC in the other ward's office, but that's a job for another day.)

Terminology used:

RG - Residential Gateway, the 3800HGV modem/router/wireless combo unit in this case
ASA - Church managed firewall
PC - Admin computer in the clerk's office

Make sure the church's security software has already been installed before you go follow these steps. Make sure you know the password for the RG - the default is printed on the side of the unit or you may have changed it already.

Once you have the 2Wire (RG) up and running, and assuming you have not changed any of the operational settings on the RG:

Take the ASA out of the box, note the serial number (you'll need it when you place the call) and the IP address on the sticker on the top of the unit. The serial number is on the ASA somewhere but is also on the outside of the shipping box.

Run an Ethernet patch cable from PORT 0 on the ASA to one of the LAN ports on the RG

Run an Ethernet patch cable from the PC to one of the LAN ports on the RG

Direct your browser to 192.168.1.254

Click the HOME NETWORK icon at the top of the screen

On the right side of the screen click the 'disable' button next to 'wireless'

Enter the password and/or confirm the action if prompted.

To the left you will see a list of devices on the network. You should see your machine and the ASA. Figure out which of the two is the ASA and click 'Edit firewall settings' for that device.

On the Settings page that opens up scroll all the way to the bottom and select the radio button next to the option 'Allow all applications (DMZplus mode)' and click DONE.

Cycle the power on the ASA unit.

Unplug the Ethernet cable from the back of the PC and plug it into the ASA.

Call LDS Global Services and wade through the phone menus to get to the networking support group.

Tell them you are setting up a new firewall. They will ask for the serial number and IP address from the ASA. Now is the time to specify the security level for the network connection - allow only explicitly permitted websites, deny only explicitly denied websites or an option that is somewhere in the middle.

They will do their thing and you should then be good to go.

